]]>Infestor – A cryptoanalysis on the malware Petya.http://seclist.us/infestor-a-cryptoanalysis-on-the-malware-petya.html
Thu, 12 May 2016 04:38:09 +0000http://seclist.us/?p=10913Petya is a relatively new crypt-ransomware that has been spreading in recent months (March – April 2016). When the user executes the PETYA .exe, the Petya then proceeds to overwrite the master boot record and encrypt the entire hard drive, holding the user’s data as hostage until a ransom is paid. However it was discovered that Petya uses a Salsa20 (the 16 bit variation of the salsa stream cipher) to encrypt the hard drive, and ultimately Infestor is a python project dedicated to performing cryptoanalysis on Petya.

Introduction
Online transactions through Tor (5) using anony-mous cryptocurrencies allow for a certain level of privacy when it comes to payments, but also allow themselves to be used in a malicious fashion. Since Bitcoin, the most popular form of cryptocurrency, makes it extremely hard to track the transactions, Bitcoin has become the de facto standard for ran-somware, malware which infects the victim’s com-puter, holds les hostage through encryption, and extorts the victims for money in return for the les. Petya is one such ransomware, except rather than targeting the les of the victim, it targets the mas-ter boot record (MBR) and master le table (MFT) (10). In our experiment, we used a Windows 7 SP1 Home Basic Edition within a VM of 1 processor core and 1 GB of RAM.

infected – petya

Petya is a relatively new ransomware variant, only starting to appear within the early months of 2016. In order to bypass the lengthy process of encrypting each le on the victim’s hard drive, Petya simply seeks to write malicious code to the start of the disk. This code overwrites the MBR of the hard drive with a small kernel that then encrypts the MFT (4).

git clone https://github.com/peixian/Infestor && cd Infestor
pip2 install z3
Notes
+ A live petya sample can be found in the petyaSample folder, exercise caution with this, courtesy of https://github.com/ytisf/theZoo.
+ VMDKTemplate is meant to be used with 010Editor, slightly changed to only display the first grain.

what’s new in 2016, Latest Change 20/2/2016:
+ New Features:
— Patch Command: The patch command allows to easily bypass a call or syscall.
— heap command: heap command provides information on the heap chunk specified as argument.
— xinfo/vmmap/xfiles commands: xinfo, vmmap and xfiles display a comprehensive and human-friendly memory mapping of either the process or a specific location.
— Remote debugging: It is possible to use gef in a remote debugging environment.
— set-permission command: This command was added to facilitate the exploitation process, by changing the permission rights on a specific page directly from the debugger.
— unicorn command: If you have installed [unicorn](http://unicorn-engine.org) emulation engine and its Python bindings, gef integrates a new command to emulate instructions
— trace-run command: The trace-run is meant to be provide a visual appreciation directly in IDA disassembler of the path taken by a specific execution. It should be used with
+ added documentation for trace-run
+ Update gef.sh

GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development.

GEF – GDB Enhanced Features.

GEF fully relies on GDB API and other Linux specific source of information (such as /proc/pid). As a consequence, some of the features might not work on custom or harden systems such as GrSec. It has fully support for Python2 and Python3 indifferently (as more and more distro start pushing gdb compiled with Python3 support).GEF supports all the architecture supported by GDB :
– x86
– ARM
– MIPS
– PowerPC

Install GEF:
Setup from repository
The best way to use GEF is through cloning the git repository from GitHub, and source the file from your ~/.gdbinit.
$ git clone https://github.com/hugsy/gef.git # or git pull to update
$ echo ‘source /path/to/gef.py’ >> ~/.gdbinit

One-time setup script
If you only need GEF for a one-time environment (VMs, etc.) that do not have/need git installed, just go with:
$ curl -s -L https://github.com/hugsy/gef/raw/master/gef.sh | sh

Optional dependancies
A few commands were added to GEF to extend its possibilities. It is recommended to install the following modules:
+ capstone highly recommended https://github.com/aquynh/capstone
+ ROPgadget highly recommended https://github.com/JonathanSalwan/ROPgadget
+ python-radare2 https://github.com/radare/radare2-bindings

]]>Eli.Decode is a tool to decode obfuscated shellcodes using the unicorn engine.http://seclist.us/eli-decode-is-a-tool-to-decode-obfuscated-shellcodes-using-the-unicorn-engine.html
Wed, 30 Mar 2016 23:23:36 +0000http://seclist.us/?p=10620Eli.Decode is a tool to decode obfuscated shellcodes using the unicorn engine.
Please note
+ You may have problems or wrong decoded shellcodes…
+ You need the unicorn engine (http://www.unicorn-engine.org/) AND the capstone engine (http://www.capstone-engine.org/) (with the python bindings…).

Please note this is as easy as added / patching values in the “decoders” dictionnary, so… I just need to google it (let me time…). Finally, please note that new architectures might be added if they are supported by the unicorn engine (http://www.unicorn-engine.org/) AND the capstone engine (http://www.capstone-engine.org/).

A tool to support security professionals access and interact with remote Microsoft Windows based systems.
This project was conceptualized with the thought process, we did not invent the bow or the arrow, just a more efficient way of using it. Ranger is a command-line driven attack and penetration testing tool, which as the ability to use an instantiated catapult server to deliver capabilities against Windows Systems. As long as a user has a set of credentials or a hash set (NTLM, LM, LM:NTLM) he or she can gain access to systems that are apart of the trust.
Using this capability a security professional can extract credentials out of memory in clear-text, access SAM tables, run commands, execute PowerShell scripts, Windows Binaries, and other tools. At this time the tool bypasses the majority of IPS vendor solutions unless they have been custom tuned to detect it. The tool was developed using our home labs in an effort to support security professionals doing legally and/or contractually supported activities.
More functionality is being added, but at this time the tool uses the community contributions from repositories related to the PowerShell PowerView, PowerShell Mimikatz and Impacket teams.

]]>SecurityLab is a collection Program vulnerabilities, OpenSSL, and web app attacks.http://seclist.us/securitylab-is-a-collection-program-vulnerabilities-openssl-and-web-app-attacks.html
Sun, 24 Jan 2016 01:49:34 +0000http://seclist.us/?p=9801NOTE: This Post For Education and Security Research Only.

SecurityLab is a collection Program vulnerabilities, OpenSSL, and web app attacks.
—Explaination—Lab1:sploit1
The vulnerability is: strcpy() does not check the number of bits which will be copied into “char buf[96]”, so we overflow the return address of “lab_main()” and redirect the execution of the program to the shellcode we provide which runs a shell terminal.

example-sploit1 in gdb

sploit2
The vulnerability was that the len specified in the program was set to a max of 272. This allowed the attack string to overwrite i and len. The i variable was first overwritten such that it would remain small, so just the last byte of its four was overwritten with 0xb. Then len was overwritten 0x0000011c to enable i to index into buf to reach where the return address laid in memory. The environment variables were necessary to split up the attack string whenever a null byte was needed.sploit3
The vulnerability is: “char buf[64]” is only 64 bytes, but “bar ( arg, buf, 88 )” allows us to write 88 bytes into it, therefore, we overflow the return address of “foo()” and redirect the execution of the program to the shellcode we provide which runs a shell terminal.
sploit4
Similar to sploit2, len could be set to a max of 169 and so len and i could be overwritten. The difference for sploit4 is that there is no indexing into the array using i. Thus, len first has be overwritten to allow enough iterations to overwrite i. The new value of i to be written needs to be at least such that len – i = number of iterations needed to fully overwrite all four bytes of the return address. The environment variables were necessary to split up the attack string whenever a null byte was needed.sploit5
The vulnerability is: passing a certain number of “%x’s” to the “snprintf()” function allows us to change the argument pointer to point to the beginning of the “formatString”. At the beginning of the “formatString” we insert the location of the first 4 bytes of the return address of foo() seperated by NULL bytes. We then pass “%##u%hhn” to “snprintf()” four times to change the first 4 bytes of the return address one at a time. We then let the program continue to run, and once it returns from foo(), it will jump to the beginning of “char buf[1024]” and start executing the shellcode we inserted in there.sploit6
The solution required two fake chunk tags. The first was located on the 8 bytes before the address of q where the double free was called and the second was placed a short distance away. The first tag’s next pointer pointed to the second fake tag. The second tag’s next pointer had the address of the return address, which was copied to the first’s next. It was then dereferenced and overwritten with a value in tmalloc.c’s “arena”, redirecting program execution. Placing the shellcode somewhere after the q region allowed a new shell to be spawned.

Lab2:client
To build upon the sockets already in place, we used SSL, BIO, and CTX objects. The CTX object allowed the client to communicate with SSLv3 and TLSv1 only via SSLv23_method and SSL_OP_NO_SSLv2 parameter. SSL_CTX_set_cipher_list set SHA1 as the class of cipher suites to be used. SSL_get_verify_result, the CA_LIST “ece568ca.pem”, and SSL_get_peer_certificate was used to verify the certificate. Failing a SSL_connect causes the client to output errors from the BIO. X509_NAME_get_text_by_NID, X509_get_subject_name, NID_commonName, and NID_pkcs9_emailAddress was used to extract and check the common name and email from the certificate. SSL_write sent the secret and SSL_read got the server response and checked for errors, whether to continue reading, and when the server finished (closed the connection). Upon connection close, the client responds with its own SSL_shutdown. For cleanup, SSL_free and SSL_CTX_free were used. The buf had to be null terminated at the number of bytes read, otherwise unexpected garbage characters could show up.server
It is very similar to the client. Notable differences are that there is child spawned for every client connection to try SSL_accept and output errors from the BIO if it failed. The SSL_read is done first to react to the client’s SSL_write and needs to be iterated until the secret has been completely read. The buf that stores the client’s message needs to be null-terminated at len due to possible unexpected garbage characters. Then the server does an SSL_write to give the answer to the client. The server-side shutdown is a bit different. The first SSL_shutdown will send a close_notify to the client, but not look for the client’s. Next, shutdown is called to send a TCP FIN required for certain clients and then server calls SSL_shutdown a second time.

Client-Server

Lab3:Attack A. Cookie Theft
For this attack, we insert the “email script” javascript text after “http://zoobar.csl.toronto.edu/users.php?user=”>” so that it will be executed. It must be URL encoded or else it won’t work. The payload is set to “document.cookie” to get cookie information. We quickly reload the page to hide the errors from the user.Attack B. Cross-Site Request Forgery
For this attack, we create a form with fields identical to the “http://zoobar.csl.toronto.edu/transfer.php” “transfer_form” and specify the transfer of 10 zoobars to “attacker” in the form. We submit the form to an <iframe> instance of “zoobar.csl.utoronto.edu” and imitate a “send” button click. Finally, we listen for when the form is submitted and quickly redirect to “http://ece568.csl.toronto.edu/”.Attack C. Password Theft
For this attack, we create a form with fields identical to the “http://zoobar.csl.toronto.edu/login.php” “login_form” and submit it with a “special” “username.value” string. The “special” string is constructed such that its content will be evaluated and it will listen for a “Log in” button click and send the “username”,”password” using the email script. Certain sections of the string must be escaped for it to process without errors. We use “event.preventDefault();” to stop all actions until email script has been processed. We also have “image.onerror” to listen for when email script is starting to be processed, and then remove listener and click login button so that everything appears as normally would for the user.Attack D. Profile Worm
The vulnerability is that there is an eval on document.getElementById(‘zoobars’).className. The malicious profile text consists of a span element that contains the same id ‘zoobars’ as an existing element. Since this inserted span element comes first, the eval will now be passed an arbitrary string as the class name. Two iframes are created, one to transfer 1 zoobar to the attacker and the other copies the attacker profile to the viewer profile. To set the attacker profile to appear to have 10 zoobars, the string contains “total = 10;”. This initializes total and since the later assignment to total will fail, total remains unchanged.

Lab4:4.1
For this part, we specify the email_scope to be “email” so that we have access to the client’s email information and also the principle of least privilege is satisfied.4.2
Before calling getPeopleInfo(), a new, similar function validateToken() is used. An XMLHttpRequest is created to get the token info for a particular access token. On a good request (status 200), the request’s responseText is parsed into JSON and the value for the audience key is compared with the client ID. If it matches, the given access token was actually for that client and getPeopleInfo() can be called to display profile information. Otherwise, no profile info is shown and the validity check is shown to have failed.4.3
For this part, we implemented drive() to handle the authentication process. We first check if the client already has an authentication code, if not, we redirect them to the Google Login API which will prompt the client to log into their account and grant access based on the SCOPE we provide. Once the client is successfully authenticated, we retrieve the client’s credentials by providing their authentication code and store the credentials in a file locally.4.4
Extending drive() after 4.3, the access token from credentials is applied to an Http object. A Google+ API service object is created to get the person info of the authenticated user (‘me’) and write it to profile.out. Then, a Google Drive service object is created to upload (insert) a file with the body containing specified metadata and the media_body containing profile.out.Usage:

]]>BufferAttack is an Various Methods of Buffer Attacks.http://seclist.us/bufferattack-is-an-various-methods-of-buffer-attacks.html
Sun, 10 Jan 2016 17:01:56 +0000http://seclist.us/?p=9614BufferAttackis an Various Methods of Buffer Attacks, plus implementation of preventive technique using sandboxing.

Trigger Debug with commandobjdump -d ./trigger

Now you can see it; if arg=1 and argv=0xb….. at trigger c+4 it can hack hello, helloa, hellob until hellod

Netool: its a toolkit written using ‘bash, python, ruby’ that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. this toolkit makes it easy tasks such as SNIFFING tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, D0S attacks in wan/lan networks, TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of target webbrowser surfing (driftnet) also uses macchanger to decoy scans changing the mac address.

Rootsector: module allows you to automate some attacks over DNS_SPOOF + MitM(phishing – social engineering) using metasploit, apache2 and ettercap frameworks. like the generation of payloads,shellcode,backdoors delivered using dns_spoof and MitM method to redirect a target to your phishing webpage.

Recently was introduced “inurlbr” webscanner (by cleiton) that allow us to search SQL related bugs, using severeal search engines, also this framework can be used in conjunction with other frameworks like nmap, (using the flag –comand-vul)

Attack Scenarios:
The last lines after sh.getshell is your shellcode to execute wherever you want.
To completely finish your action you can do next steps:
1. run gdb victim
2. exec victim with params (count of “A” “B” “C” letters you must find experimentally to have $EIP be filled with only letter “B” – 42 code):

Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

Empire Module Menu

Initial Setup:
Run the ./setup/install.sh script. This will install the few dependencies and run the ./setup/setup_database.py script. The setup_database.py file contains various setting that you can manually modify, and then initializes the ./data/empire.db backend database. No additional configuration should be needed- hopefully everything works out of the box.
Running ./empire will start Empire, and ./empire –debug will generate a verbose debug log at ./empire.debug. The included ./data/reset.sh will reset/reinitialize the database and launch Empire in debug mode.

Netool: its a toolkit written using ‘bash, python, ruby’ that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. this toolkit makes it easy tasks such as SNIFFING tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, D0S attacks in wan/lan networks, TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of target webbrowser surfing (driftnet) also uses macchanger to decoy scans changing the mac address.

Rootsector: module allows you to automate some attacks over DNS_SPOOF + MitM(phishing – social engineering) using metasploit, apache2 and ettercap frameworks. like the generation of payloads,shellcode,backdoors delivered using dns_spoof and MitM method to redirect a target to your phishing webpage.

Recently was introduced “inurlbr” webscanner (by cleiton) that allow us to search SQL related bugs, using severeal search engines, also this framework can be used in conjunction with other frameworks like nmap, (using the flag –comand-vul)

]]>RC-EXPLOITER v1.1.6 released.http://seclist.us/rc-exploiter-v1-1-6-released.html
Mon, 19 Oct 2015 13:20:56 +0000http://seclist.us/?p=8533DISCLAIMER:
The author does not hold any responsibility about the bad use of this script remember that attacking targets without prior concent its ilegal and punish by law, this script as build to show how msf resource files can automated tasks.

Scanning WAN networks In search of targets may take 10 to 15 minutes depending of your network connection, and will search In 1024 random hosts For the selected service/port, also the File ‘brute.txt’ may be edited to insert new entrys, or we can provide the full path to another dicionary File to be used In brute-forcing services.

Features:
1º – scan in WAN for selected port (service) open
2º – port hosts found to msf database and set global variables (msfdb.rc)
3º – runs the conrrespondent exploit.rc (ssl.rc) againts all RHOSTS set before.work flow:
1º this script will ask (to the attacker) to input the port number to search
2º then uses nmap to search in WAN networks for the specified port open
3º builds a resource file (.rc) to port the targets found to msf database
4º starts msf db and lunch the correspondente exploit.rc file againts all targets

Note:
“all ‘exploits.rc’ will use nmap nse script engine and msf auxiliary modules to exploit the target And each discovered matching login and password will create a Metasploit session”.